Security-conscious users, rejoice; Google has launched support for Security Key, an open-source platform that relies on hardware to generate security codes used by Google’s two-factor authentication.

If data breaches of increasing severity have taught us anything, it is that passwords are an imperfect form of security. Savvy users who have known this for years long ago adopted measures to better protect themselves against hacks. But these extra steps have, more often than not, come at the sacrifice of convenience.

That is where Security Key differs. Two-factor authentication with services that tap into the open standard is as easy as plugging in compatible hardware before entering your password – no need to dig out your smartphone and generate a security code every time you want to check your e-mail.

Sadly, Security Key is simpler in theory than in execution; only a select number of USB peripherals have been certified for use, and Google is only supporting the standard on newer desktop versions of Chrome. Still, plugging in a USB dongle you can keep on a keyring sounds infinitely easier than what two-factor authentication currently requires.

Using mobile may be a smarter way to do two-factor authentication. Apple already does this in some cases: when I try to access a service from my iPad, it asks me to confirm my credentials from my iPhone. More mainstream implementation of such services will be a great option.

It would be perfect if I could use my already existing CAC that I use for military/DoD (two factor) authentication. Not like Google doesn’t already have all that info anyways. =p

ddevito

Indeed USB isn’t the best, but the Security key architecture allows this to be used with Bluetooth and NFC as well, so expect to see updates with those two options as well.

Logan Boyd

“Still, plugging in a USB dongle you can keep on a keyring sounds infinitely easier than what two-factor authentication currently requires.”
I use Google’s 2-step authentication and it is quite easy. My phone receives a text with a code and I type the code in. I don’t carry a KEY RING, my car key stays in my pocket since I have a push-to-start car and I enter my house through my garage so I don’t have a house key either. I’m also certain that I can receive, read and type in my 4-6 digit code from my 2-factor auth logins faster than you can get a USB dongle out of your pocket and plugged in to your laptop. I like having the option but I think you go a bit far in describing the difference in complexity between these 2 options.

DanSan

I always used the app. I assume settings for SMS alerts when trying to log in can be turned on in the authentication settings in Gmail?

NastyEmu

It’s under your Google account settings, not in Gmail.

DanSan

Yeah, that’s what I meant, just used to accessing it through Gmail.

Logan Boyd

I used to use Google Authenticator app as well, but with my Google Voice number, the code shows up on my computer so I didn’t even have to pull my phone out of my pocket or have my phone on me. I use 2-factor to prevent 3rd parties who do NOT have access to my desktop, laptop, phone from being able to log in by simply knowing or guessing my user/pass combo.

r0l

I understand this might be technically quicker than an Authenticator auth code. However, I always have my phone; I will inevitably leave this at home/work, not to mention I really don’t want another device to keep track of.

Unless this picks up support for more services than Google’s authenticator supports I can’t see people already using 2-step via code switching to this.

Sadly, as much as I want this, working in a space where plugging anything in USB is incredibly prohibited, I can never own one 🙁

Michael Hammond

We have the same thing where I work, but HASPs are allowed since they don’t actually have data that copies from them and you can’t copy data TO them. Our infrastructure is Sophos and we have USB and DVD/CD drives disabled; but these work fine without breaking any security protocols. In fact, security keys like this are welcomed.

boisvert00

Sophos is great, especially for locking down systems in that fashion, sometimes it can be a bit too granular though. Used to work there, this is very much like the Safeguard key ring.

Kevin

Where the hell do you work?

droidrazredge

I’m definitely going to purchase one of these when they’re available to buy.

CoolSilver

Yubikey NEO versions will support this protocol. Already available

UndergroundWire

Be careful. Not all Yubikey NEO support U2F. The ones they sell now (since August 2014 I believe) have U2F built in. Older ones do not.

CoolSilver

Mine currently does not but they are working on a firmware upgrade per the Yubikey Blog.

Donnie_Eldridge

YubiKeys are not upgradable by design…. “You will need a YubiKey NEO with firmware version 3.3 or above to support U2F – that firmware was released at the end of September 2014. Older YubiKey NEOs which do not support U2F will be indicated by the NEO Manager tool, and cannot be upgraded to the newer firmware. The firmware of all YubiKeys is locked down to prevent attacks against the YubiKey directly, like the BadUSB attack.”

UndergroundWire

Was about to state that. I think what he read was the hardware will be upgraded.

Steven Castro

When are these being sold or given out?

CoolSilver

Yubikey NEO versions will support this protocol

AngryBadger

On the other hand… what about smart watches for this?

Bionicman

In regards to 2-factor authentication, what I do is, I always get my Gmail emails on my Gear Live, so whenever I need the code, it’s always easily available.

Fernando Gonzalez

You don’t use the Google Authenticator app? If they made it Wear compatible that would be awesome.

Bionicman

Yeah, that would be. I guess what I’m saying is, since I get the texts on my watch, I read the code from there without having to look at my phone – makes it a tad bit more convenient.

The USB Stick is one of two ways to access your account. So if you activate the U2F device, it doesn’t mean you have to use it. It will prompt you for the code you get from the app (or alternatively through a text message) or you can just plug in the U2F device.

WAldenIV

There is no way to know who owned it, making it useless to a stranger/thief. You would have to use the app to generate the codes if you lost it.